remove dependency on bouncycastle

by internalizing CMAC implementation

Author: overheadhunter

pom.xml

@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>siv-mode</artifactId>
@@ -37,28 +38,21 @@
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<project.build.outputTimestamp>2025-03-14T12:02:43Z</project.build.outputTimestamp>
 
-		<!-- dependencies -->
-		<bouncycastle.version>1.80</bouncycastle.version>
-
 		<!-- test dependencies -->
 		<junit.version>5.12.0</junit.version>
-		<mockito.version>5.15.2</mockito.version>
+		<mockito.version>5.20.0</mockito.version>
 		<jmh.version>1.37</jmh.version>
 		<hamcrest.version>3.0</hamcrest.version>
 		<guava.version>33.4.0-jre</guava.version>
 
 		<!-- maven plugins -->
 		<dependency-check.version>12.1.1</dependency-check.version>
+
+		<!-- Property used by surefire to determine jacoco engine -->
+		<surefire.jacoco.args/>
 	</properties>
 
 	<dependencies>
-		<dependency>
-			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcprov-jdk18on</artifactId>
-			<version>${bouncycastle.version}</version>
-			<!-- see maven-shade-plugin; we don't want this as a transitive dependency in other projects -->
-			<optional>true</optional>
-		</dependency>
 		<dependency>
 			<groupId>org.jetbrains</groupId>
 			<artifactId>annotations</artifactId>
@@ -134,13 +128,33 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-dependency-plugin</artifactId>
+				<executions>
+					<execution>
+						<id>jar-paths-to-properties</id>
+						<phase>validate</phase>
+						<goals>
+							<goal>properties</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
 			<plugin>
 				<artifactId>maven-compiler-plugin</artifactId>
 				<version>3.14.0</version>
 				<configuration>
 					<release>8</release>
 					<encoding>UTF-8</encoding>
 					<showWarnings>true</showWarnings>
+					<annotationProcessorPaths>
+						<path>
+							<groupId>org.openjdk.jmh</groupId>
+							<artifactId>jmh-generator-annprocess</artifactId>
+							<version>${jmh.version}</version>
+						</path>
+					</annotationProcessorPaths>
 				</configuration>
 				<executions>
 					<execution>
@@ -163,6 +177,9 @@
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
 				<version>3.5.3</version>
+				<configuration>
+					<argLine>@{surefire.jacoco.args} -javaagent:${org.mockito:mockito-core:jar}</argLine>
+				</configuration>
 			</plugin>
 			<plugin>
 				<artifactId>maven-jar-plugin</artifactId>
@@ -208,43 +225,6 @@
 					<release>8</release>
 				</configuration>
 			</plugin>
-			<plugin>
-				<artifactId>maven-shade-plugin</artifactId>
-				<version>3.6.0</version>
-				<executions>
-					<execution>
-						<phase>package</phase>
-						<goals>
-							<goal>shade</goal>
-						</goals>
-						<configuration>
-							<minimizeJar>true</minimizeJar>
-							<keepDependenciesWithProvidedScope>false</keepDependenciesWithProvidedScope>
-							<createDependencyReducedPom>false</createDependencyReducedPom>
-							<createSourcesJar>false</createSourcesJar>
-							<artifactSet>
-								<includes>
-									<include>org.bouncycastle:bcprov-jdk18on</include>
-								</includes>
-							</artifactSet>
-							<relocations>
-								<relocation>
-									<pattern>org.bouncycastle</pattern>
-									<shadedPattern>org.cryptomator.siv.org.bouncycastle</shadedPattern>
-								</relocation>
-							</relocations>
-							<filters>
-								<filter>
-									<artifact>org.bouncycastle:bcprov-jdk18on</artifact>
-									<excludes>
-										<exclude>META-INF/**</exclude>
-									</excludes>
-								</filter>
-							</filters>
-						</configuration>
-					</execution>
-				</executions>
-			</plugin>
 		</plugins>
 	</build>
 
@@ -292,6 +272,9 @@
 								<goals>
 									<goal>prepare-agent</goal>
 								</goals>
+								<configuration>
+									<propertyName>surefire.jacoco.args</propertyName>
+								</configuration>
 							</execution>
 						</executions>
 						<!-- workaround for https://github.com/jacoco/jacoco/issues/407 -->
@@ -340,7 +323,7 @@
 						<extensions>true</extensions>
 						<configuration>
 							<publishingServerId>central</publishingServerId>
- 							<autoPublish>true</autoPublish>
+							<autoPublish>true</autoPublish>
 						</configuration>
 					</plugin>
 				</plugins>

src/main/java/org/cryptomator/siv/CMac.java

@@ -0,0 +1,186 @@
+package org.cryptomator.siv;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.MacSpi;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.Arrays;
+
+/**
+ * AES-CMAC (Cipher-based Message Authentication Code).
+ * Specs: <a href="https://www.rfc-editor.org/rfc/rfc4493.html">RFC 4493</a>.
+ */
+class CMac extends MacSpi {
+
+	private static final int BLOCK_SIZE = 16; // 128 bits for AES
+	private static final String AES_ALGORITHM = "AES";
+	private static final String AES_ECB_NO_PADDING = "AES/ECB/NoPadding";
+
+	// MAC keys:
+	private Cipher cipher;
+	private byte[] k1;
+	private byte[] k2;
+
+	// MAC state:
+	private int bufferPos = 0;
+	private byte[] buffer = new byte[BLOCK_SIZE];
+	private byte[] x = new byte[BLOCK_SIZE]; // X := const_Zero;
+	private byte[] y = new byte[BLOCK_SIZE];
+	private int msgLen = 0;
+
+	@Override
+	protected int engineGetMacLength() {
+		return BLOCK_SIZE;
+	}
+
+	@Override
+	protected void engineInit(Key key, AlgorithmParameterSpec params) throws InvalidKeyException {
+		try {
+			this.cipher = Cipher.getInstance(AES_ECB_NO_PADDING);
+		} catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
+			throw new AssertionError("Every implementation of the Java platform is required to support [...] AES/ECB/NoPadding", e);
+		}
+		cipher.init(Cipher.ENCRYPT_MODE, key);
+
+		// init subkeys K1 and K2
+		// see https://www.rfc-editor.org/rfc/rfc4493.html#section-2.3
+		byte[] L = new byte[BLOCK_SIZE];
+		try {
+			// L = AES_encrypt(K, const_Zero)
+			L = encryptBlock(cipher, L);
+			this.k1 = SivMode.dbl(L);
+			this.k2 = SivMode.dbl(k1);
+		} finally {
+			Arrays.fill(L, (byte) 0);
+		}
+	}
+
+	@Override
+	protected void engineUpdate(byte input) {
+		if (bufferPos == BLOCK_SIZE) { // buffer is full
+			processBlock();
+		}
+		assert bufferPos < BLOCK_SIZE;
+		buffer[bufferPos++] = input;
+		msgLen++;
+	}
+
+	@Override
+	protected void engineUpdate(byte[] input, int offset, int len) {
+		assert bufferPos < BLOCK_SIZE;
+		for (int i = offset; i < offset + len; ) {
+			if (bufferPos == BLOCK_SIZE) { // buffer is full
+				processBlock();
+			}
+			int required = offset + len - i;
+			int available = BLOCK_SIZE - bufferPos;
+			int m = Math.min(required, available);
+			System.arraycopy(input, i, buffer, bufferPos, m);
+			bufferPos += m;
+			i += m;
+		}
+		msgLen += len;
+	}
+
+	// https://www.rfc-editor.org/rfc/rfc4493.html#section-2.4 Step 6
+	private void processBlock() {
+		y = SivMode.xor(x, buffer); // Y := X XOR M_i;
+		x = encryptBlock(cipher, y); // X := AES-128(K,Y);
+		bufferPos = 0;
+	}
+
+	// https://www.rfc-editor.org/rfc/rfc4493.html#section-2.4
+	@Override
+	protected byte[] engineDoFinal() {
+		// Step 3:
+		boolean flag = msgLen > 0 && bufferPos % BLOCK_SIZE == 0; // denoting if last block is complete or not
+
+		// Step 4:
+		byte[] m_last;
+		if (flag) {
+			// M_last := M_n XOR K1;
+			m_last = SivMode.xor(buffer, k1);
+		} else {
+			// M_last := padding(M_n) XOR K2;
+			//
+			// [...] padding(x) is the concatenation of x and a single '1',
+			// followed by the minimum number of '0's, so that the total length is
+			// equal to 128 bits.
+			buffer[bufferPos] = (byte) 0x80; // single '1' bit
+			if (bufferPos + 1 < BLOCK_SIZE) {
+				Arrays.fill(buffer, bufferPos + 1, BLOCK_SIZE, (byte) 0x00); // followed by '0' bits
+			}
+			m_last = SivMode.xor(buffer, k2);
+		}
+
+		// Step 7:
+		y = SivMode.xor(m_last, x); // Y := M_last XOR X;
+		try {
+			return encryptBlock(cipher, y); // T := AES-128(K,Y);
+		} finally {
+			engineReset();
+		}
+	}
+
+	@Override
+	protected void engineReset() {
+		bufferPos = 0;
+		msgLen = 0;
+		Arrays.fill(buffer, (byte) 0);
+		Arrays.fill(x, (byte) 0);
+		Arrays.fill(y, (byte) 0);
+	}
+
+	// TODO make instance method, remove cipher param?
+	private static byte[] encryptBlock(Cipher cipher, byte[] block) {
+		try {
+			return cipher.doFinal(block);
+		} catch (IllegalBlockSizeException e) {
+			throw new IllegalArgumentException(e);
+		} catch (BadPaddingException e) {
+			throw new AssertionError("Not in decrypt mode", e);
+		}
+	}
+
+	/**
+	 * Create a new CMAC instance for incremental message processing
+	 */
+	public static CMac create(byte[] key) {
+		if (key.length != 16 && key.length != 24 && key.length != 32) {
+			throw new IllegalArgumentException("Invalid key length. Must be 16, 24, or 32 bytes");
+		}
+		try {
+			SecretKeySpec keySpec = new SecretKeySpec(key, AES_ALGORITHM);
+
+			CMac mac = new CMac();
+			mac.engineInit(keySpec, null);
+			return mac;
+		} catch (InvalidKeyException e) {
+			throw new IllegalArgumentException("Invalid key", e);
+		}
+	}
+
+	/**
+	 * One-shot CMAC computation
+	 */
+	public static byte[] tag(byte[] key, byte[] message) {
+		CMac cmac = create(key);
+		cmac.engineUpdate(message, 0, message.length);
+		return cmac.engineDoFinal();
+	}
+
+	/**
+	 * Verify CMAC tag
+	 */
+	public static boolean verify(byte[] key, byte[] message, byte[] tag) {
+		byte[] computedTag = tag(key, message);
+		return MessageDigest.isEqual(computedTag, tag);
+	}
+}